ID
VAR-200403-0025
CVE
CVE-2004-0039
TITLE
HTTP Parsing Vulnerabilities in Check Point Firewall-1
Trust: 0.8
DESCRIPTION
Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. Check Point Firewall-1 is a high-performance firewall. An unsuccessful attack will destroy all connected HTTP sessions and stop WEB communication. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 HTTP Parsing Vulnerabilities in Check Point Firewall-1 Original release date: February 05, 2004 Last revised: -- Source: US-CERT A complete revision history can be found at the end of this file. This allows the attacker to take control of the firewall, and in some cases, to also control the server it runs on. I. Description The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf(). Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. For more information, please see the ISS advisory at: http://xforce.iss.net/xforce/alerts/id/162 The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039. II. Failed attempts to exploit this vulnerability may cause the firewall to crash. III. It is unclear at this time whether there are other attack vectors that may still allow exploitation of the underlying software defect. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate. _________________________________________________________________ This vulnerability was discovered and researched by Mark Dowd of ISS X-Force. _________________________________________________________________ This document was written by Jeffrey P. Lanza. _________________________________________________________________ This document is available from: http://www.us-cert.gov/cas/techalerts/TA04-036A.html _________________________________________________________________ Copyright 2004 Carnegie Mellon University. Revision History Feb 05, 2004: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFAIsBMXlvNRxAkFWARApI0AKD4vWl9qb4hYtEr+zlkUScaY3PFcwCfRXcG pglRULK2zVbnACsvG9+BEog= =6SAE -----END PGP SIGNATURE-----
Trust: 2.79
AFFECTED PRODUCTS
| vendor: | checkpoint | model: | firewall-1 | scope: | eq | version: | * | Trust: 1.0 |
| vendor: | check point | model: | - | scope: | - | version: | - | Trust: 0.8 |
| vendor: | check point | model: | vpn-1/firewall-1 | scope: | eq | version: | ng fp2 | Trust: 0.8 |
| vendor: | check point | model: | vpn-1/firewall-1 | scope: | eq | version: | ng fp3 | Trust: 0.8 |
| vendor: | check point | model: | vpn-1/firewall-1 | scope: | eq | version: | ng with application intelligence | Trust: 0.8 |
| vendor: | check point | model: | vpn-1/firewall-1 | scope: | eq | version: | ng with application intelligence (r55) | Trust: 0.8 |
| vendor: | checkpoint | model: | firewall-1 | scope: | - | version: | - | Trust: 0.6 |
| vendor: | check | model: | point software nokia voyager | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software ng-ai r55 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software ng-ai r54 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software ng-ai | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software next generation fp3 hf2 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software next generation fp3 hf1 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software next generation fp3 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software next generation fp2 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software next generation fp1 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 sp6 | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 sp5 | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 sp4 | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 sp3 | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 sp2 | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 sp1 | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 | scope: | eq | version: | 4.1 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.7
TYPE
input validation
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | FireWall-1 HTTP Security Server Vulnerability | url: | http://www.checkpoint.com/services/techsupport/alerts/security_server.html | Trust: 0.8 |
| title: | FireWall-1 HTTP セキュリティ・サーバの脆弱性 | url: | http://www.checkpoint.co.jp/techsupport/alerts/security_server.html | Trust: 0.8 |
EXTERNAL IDS
| db: | CERT/CC | id: | VU#790771 | Trust: 3.3 |
| db: | NVD | id: | CVE-2004-0039 | Trust: 2.8 |
| db: | BID | id: | 9581 | Trust: 2.8 |
| db: | USCERT | id: | TA04-036A | Trust: 2.6 |
| db: | XF | id: | 14149 | Trust: 2.2 |
| db: | SECUNIA | id: | 10794 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2004-000032 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-200403-032 | Trust: 0.7 |
| db: | CERT/CC | id: | TA04-036A | Trust: 0.6 |
| db: | ISS | id: | 20040204 CHECKPOINT FIREWALL-1 HTTP PARSING FORMAT STRING VULNERABILITIES | Trust: 0.6 |
| db: | XF | id: | 1 | Trust: 0.6 |
| db: | BUGTRAQ | id: | 20040205 TWO CHECKPOINT FW-1/VPN-1 VULNS | Trust: 0.6 |
| db: | CIAC | id: | O-072 | Trust: 0.6 |
| db: | VULHUB | id: | VHN-8469 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 32633 | Trust: 0.1 |
REFERENCES
| url: | http://xforce.iss.net/xforce/alerts/id/162 | Trust: 3.7 |
| url: | http://www.checkpoint.com/techsupport/alerts/security_server.html | Trust: 2.9 |
| url: | http://www.us-cert.gov/cas/techalerts/ta04-036a.html | Trust: 2.6 |
| url: | http://www.securityfocus.com/bid/9581 | Trust: 2.5 |
| url: | http://www.kb.cert.org/vuls/id/790771 | Trust: 2.5 |
| url: | http://www.ciac.org/ciac/bulletins/o-072.shtml | Trust: 2.5 |
| url: | http://xforce.iss.net/xforce/xfdb/14149 | Trust: 2.2 |
| url: | http://marc.theaimsgroup.com/?l=bugtraq&m=107604682227031&w=2 | Trust: 1.2 |
| url: | https://exchange.xforce.ibmcloud.com/vulnerabilities/14149 | Trust: 1.1 |
| url: | http://marc.info/?l=bugtraq&m=107604682227031&w=2 | Trust: 1.0 |
| url: | http://www.secunia.com/advisories/10794/ | Trust: 0.8 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0039 | Trust: 0.8 |
| url: | http://www.jpcert.or.jp/wr/2004/wr040601.txt | Trust: 0.8 |
| url: | http://jvn.jp/cert/jvnta04-036a | Trust: 0.8 |
| url: | http://jvn.jp/tr/trta04-036a | Trust: 0.8 |
| url: | http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0039 | Trust: 0.8 |
| url: | http://www.isskk.co.jp/support/techinfo/general/checkpoint_fw1_162.html | Trust: 0.8 |
| url: | http://www.checkpoint.com/techsupport/ | Trust: 0.3 |
| url: | http://marc.info/?l=bugtraq&m=107604682227031&w=2 | Trust: 0.1 |
CREDITS
Mark Dowd
Trust: 0.6
SOURCES
| db: | CERT/CC | id: | VU#790771 |
| db: | VULHUB | id: | VHN-8469 |
| db: | BID | id: | 9581 |
| db: | JVNDB | id: | JVNDB-2004-000032 |
| db: | PACKETSTORM | id: | 32633 |
| db: | CNNVD | id: | CNNVD-200403-032 |
| db: | NVD | id: | CVE-2004-0039 |
LAST UPDATE DATE
2024-08-14T13:17:16.944000+00:00
SOURCES UPDATE DATE
| db: | CERT/CC | id: | VU#790771 | date: | 2004-04-23T00:00:00 |
| db: | VULHUB | id: | VHN-8469 | date: | 2017-07-11T00:00:00 |
| db: | BID | id: | 9581 | date: | 2009-07-12T02:06:00 |
| db: | JVNDB | id: | JVNDB-2004-000032 | date: | 2007-04-01T00:00:00 |
| db: | CNNVD | id: | CNNVD-200403-032 | date: | 2006-01-03T00:00:00 |
| db: | NVD | id: | CVE-2004-0039 | date: | 2017-07-11T01:29:52.557 |
SOURCES RELEASE DATE
| db: | CERT/CC | id: | VU#790771 | date: | 2004-02-05T00:00:00 |
| db: | VULHUB | id: | VHN-8469 | date: | 2004-03-03T00:00:00 |
| db: | BID | id: | 9581 | date: | 2004-02-05T00:00:00 |
| db: | JVNDB | id: | JVNDB-2004-000032 | date: | 2007-04-01T00:00:00 |
| db: | PACKETSTORM | id: | 32633 | date: | 2004-02-06T00:08:00 |
| db: | CNNVD | id: | CNNVD-200403-032 | date: | 2004-02-05T00:00:00 |
| db: | NVD | id: | CVE-2004-0039 | date: | 2004-03-03T05:00:00 |